The guy is offering prizes for cracking his NTLM passwords. The catch is they are long passwords, 10-15 characters, with varying complexity.

The question I have for you all is what strategy would you use to start cracking these passwords?

I was thinking the best way would be to start generating simple lowercase alpha rainbow tables with a length of exactly 15 characters. The second one just seems like it should be the easiest to tackle first. Am I way off?

I actually tried this with one of my CEH classmates. He created a long and complex NTLM password and asked if I could crack it. I had Ophcrack and a set of rainbow tables that was just under 800MB. The problem ends up being that most rainbow tables don't have entries for passwords with spaces in them. So the one I used couldn't do it. So you may need to try a hybrid attack and account for spaces.

You could always use one of the password cracking services out there. You give them a hash, they will eventually crack it. Some services are free, others are not. So it may not be worth the time or the money.

The 10 character one should be doable, especially if it's an LM hash; he doesn't say if they are LM or NTLM...

The 15 character ones would be quite a bear to crack. I doubt too many people have 15 character NTLM rainbow tables lying around...

Have to hybrid/brute force them.

Of course, when I was doing research for my rainbow tables paper I read that you could have a 1 character password that no password cracker would ever crack. Know what it was? Any character made with the alt command, because password crackers don't check for those characters...

Most services, even the commercial ones, only have NTLM tables for up to 9 characters max. So basically if you want to use rainbow tables, you're going to have to create your own. I've tried a multitude of available resources and tools. It's an interesting practical exercise that's for sure.